Loading…

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Wednesday, April 27
 

9:00am EDT

Welcome
Welcome to DevSecOps Days Pittsburgh 2022!

Speaker
avatar for Hasan Yasar

Hasan Yasar

Technical Director, Continuous Deployment of Capability, Software Engineering Institute, Carnegie Mellon University
Hasan is a senior software engineer, software architect, and manager with 20+ years of experience in all phases of software development and the information modeling process. He has extensive knowledge of current software tools and techniques and extensive hands-on experience in software... Read More →


Wednesday April 27, 2022 9:00am - 9:15am EDT
Virtual

9:15am EDT

DevSecOps: Are We There Yet?
DevSecOps is a term and pursuit that has been underway for several years now. Despite that reality, there is still much to be desired with industry adoption and maturity. This talk will take a look at some of the areas of improvement in terms of technologies and practices that can help facilitate the desired outcomes of DevSecOps while also highlighting some of the remaining challenges.

Speaker
avatar for Chris Hughes

Chris Hughes

Co-Founder and CISO, Aquia, Inc.
Chris currently serves as the Co-Founder and CISO of Aquia. Chris has nearly 20 years of IT/Cybersecurity experience. This ranges from active duty time with the U.S. Air Force, a Civil Servant with the U.S. Navy and General Services Administration (GSA)/FedRAMP as well as time as... Read More →


Wednesday April 27, 2022 9:15am - 10:00am EDT
Virtual

10:00am EDT

Short Break
Take a short break, but be sure you're back in time for the next presentation!

Wednesday April 27, 2022 10:00am - 10:10am EDT
Virtual

10:10am EDT

#NoHobbyists
CyberSecurity has traditionally been regarded as a function of a distinct security group. In reality, security and cyber resilient software is the responsibility of everyone in the organization. There is a well intended call to "shift security left" but no one knows how! Instead, organizations are depending on developers to become cyber-savvy on their own. Attendees will learn about why to *not* shift left, how to build a new security culture, and tips, tricks, and tools for moving away from security hobbyists to having experienced pros.

Speaker
avatar for Tracy Bannon

Tracy Bannon

Senior Principal - Software Architect & DevOps Advisor, The MITRE Corporation
Passionate Architect!!! Tracy (Trac) Bannon is a Senior Principal in MITRE Corporation’s Advanced Software Innovation Center. She is an accomplished software architect, engineer, and DevSecOps advisor having worked across commercial and government clients.She is a passionate architect... Read More →


Wednesday April 27, 2022 10:10am - 10:40am EDT
Virtual

10:40am EDT

Short Break
Take a short break, but be sure you're back in time for the next presentation!

Wednesday April 27, 2022 10:40am - 10:50am EDT
Virtual

10:50am EDT

Are We Forever Doomed By Software Supply Chain Risks?
The adoption of open-source software continues to grow and creates significant security concerns for everything from software supply chain attacks in language ecosystem registries to cloud-native application security concerns. In this session, we will explore how developers are targeted as a vehicle for malware distribution, how immensely we depend on open-source maintainers to release timely security fixes, and how the race to the cloud creates new security concerns for developers to cope with, as computing resources turn into infrastructure as code.

Speaker
avatar for Steve Kinman

Steve Kinman

Field CISO, Snyk
Steve Kinman, a dedicated technology leader, with 20+ years of innovative compliance-driven security strategy knowledge and the ability to deliver scalable, principle-based security and privacy programs focused on business requirements. Most recently, he led a security program transformation... Read More →


Wednesday April 27, 2022 10:50am - 11:20am EDT
Virtual

11:20am EDT

Short Break
Take a short break, but be sure you're back in time for the next presentation!

Wednesday April 27, 2022 11:20am - 11:30am EDT
Virtual

11:30am EDT

Chaos Security Engineering: Integrating Security through Chaos
Building DevSecOps programs can be boosted and matured through using Chaos Engineering practices, but within a security context. This talk will introduce the concept of Chaos Security Engineering, why it will be useful in maturing DevSecOps program, and helpful resources and tools for starting your own program. This talk will also highlight the importance of the hypothesis mode of testing, which can also be seen in ethical hacking practices. The idea is to combine two separate ideas which have similar methodologies, to help integrate ongoing security testing throughout development cycles.

Speaker
avatar for Nikki Robinson

Nikki Robinson

Security Architect, IBM
I am a Security Architect with IBM by day, and an Adjunct Professor at Capitol Technology University. I am also an ICIT Fellow and President of the Infragard Maryland Chapter. I hold a Doctorate of Science in CyberSecurity, a PhD in Human factors, and industry certifications (CISSP... Read More →


Wednesday April 27, 2022 11:30am - 12:00pm EDT
Virtual

12:00pm EDT

Lunch Break
Get some lunch, take a little break, and join us in time for our afternoon keynote!

Wednesday April 27, 2022 12:00pm - 12:30pm EDT
Virtual

12:30pm EDT

How to Misuse and Abuse DORA Metrics
Creating a baseline and tracking metrics are required to improve the flow of delivery. The most common questions, when organizations begin, are "How can we measure CD? What metrics matter?" However, why are we measuring? What are our goals? In this talk, we'll be discussing some common metric anti-patterns. We'll also cover some examples of how to use metrics constructively to identify where improvement efforts should be applied and how to scale that knowledge across the organization.

Speaker
avatar for Bryan Finster

Bryan Finster

Value Stream Architect, Defense Unicorns
A passionate advocate for and practitioner of continuous delivery who knows from experience that CD improves outcomes for the end-user, the organization, and for the teams implementing it. Deploy more and sleep better.I have over two decades of experience delivering and supporting... Read More →


Wednesday April 27, 2022 12:30pm - 1:15pm EDT
Virtual

1:15pm EDT

Short Break
Take a short break, but be sure you're back in time for the next presentation!

Wednesday April 27, 2022 1:15pm - 1:25pm EDT
Virtual

1:25pm EDT

Implementing Pipelines to Automate Container Maintenance in Highly Regulated Environments
In a highly regulated environment, container images are built by a pipeline that enforces a variety of constraints, for example, to use the latest version of software dependencies. Existing tools can update top-level dependencies but stop short of updating entire dependency trees. A more complete solution would also update sub-dependencies required during a build. Our solution and the subject of this talk, uses a 'dependency pipeline'. More specifically, this is a series of automation steps which download and neatly package our container image’s dependencies, preparing them for installation in the pipeline of a given highly regulated environment. Using our dependency automations have cut the maintenance times of our developers from hours of effort each week to mere minutes. Additional key benefits of our solution are dependency version conflict avoidance and immediate CVE resolution. A Linux container (LXC) is typically composed of a set of files from custom software builds, downloaded dependencies, and common OS-specific files that are bundled together to deliver some reproducible functionality. Many of these files likely originate from open-source software repositories. Highly regulated environments pose stringent constraints on the functionality of active systems within their bounds such as disallowing the downloading of files from the open Internet. A common requirement for container builds in highly regulated environments is the use of dependencies that are locally stored or downloaded from the open internet using pre-approved package managers and repositories, which typically only contain a small subset of a container build’s needed dependencies. Successful container builds in this environment, are commonly obligated to use a list of required dependencies, which are not available in pre-approved repositories. The list includes for each dependency: a filename, hash value of the file, and an open internet download URL. During the build process, the list of files is downloaded from the provided URLs and placed into a clean local storage build context, within the highly regulated environment, and hash values are generated and compared to ensure file integrity. The validated files are then made available for container builds. Once built, the container enters a long-term maintenance lifecycle phase. In this phase, individual dependency updates are performed to resolve detected CVEs and CCEs, build errors, new version releases, etc... These updates, which are normally done by manually updating individual dependency entries in the required dependencies list, can cause version conflicts. This often occurs with the version update of a single dependency which contains sub-dependencies requiring the older version, or a deprecation of required functionality from the new version. The result is a build failure of unable to locate a compatible version. The current remedy is the non-trivial task of manually identifying and updating versions of multiple individual entries in the required dependencies list which often creates a high volume of cyclical sub-dependency version conflicts requiring hours of effort to analyze and mitigate. Our solution, as described above, resolve these issues.

Speaker
avatar for Rob McCarthy

Rob McCarthy

DevOps Engineer, Software Engineering Institute, Carnegie Mellon University
Rob McCarthy is a DevOps Engineer at the Software Engineering Institute. He works most closely with systems architecture and design surrounding Continuous Integration and Deployment operations. In his spare time Rob enjoys playing Red Team Capture the Flag and spending time with his... Read More →
avatar for Jose Morales

Jose Morales

Senior Researcher, Software Engineering Institute, Carnegie Mellon University
Jose is currently a Senior Researcher in the Software Engineering Institute, in the SSD Division, at Carnegie Mellon University. He has conducted research in cyber security since 1998 . He is a co-author of four best paper awards. He has conducted research in DevSecOps since 2016... Read More →


Wednesday April 27, 2022 1:25pm - 1:55pm EDT
Virtual

1:55pm EDT

Short Break
Take a short break, but be sure you're back in time for the next presentation!

Wednesday April 27, 2022 1:55pm - 2:05pm EDT
Virtual

2:05pm EDT

DevSecOps in the Cloud from the Lens of a Well-Architected Framework
Many engineering teams view DevSecOps initiatives from the perspective of being more secure from external threats/vulnerabilities. As a result, they focus more on the security aspect, rather than the architectural / engineering aspect.

In this talk, I try to focus on DevSecOps from the architecture perspective. I try to link DevSecOps with the common pillars of a Cloud based well-architected framework, and discuss how DevSecOps goes a step further from security, and delves into architectural practices .

Security is always there at the core, but the practices and patterns enforced by DevSecOps can be adopted/extended on a much wider scale, if we also factor in the engineering excellence, or architectural best practices that can be infused into the system as a direct consequence/correlation of adopting DevSecOps.

The idea of this talk is for audience to be able to link Architecture Best practices with DevSecOps initiatives, instead of just security.

Implementing DevSecOps without architectural best practices in mind, might not fail, but will surely be regarded as a missed chance to significantly improve the engineering discipline across an enterprise.

Speaker
avatar for Turja Narayan Chaudhuri

Turja Narayan Chaudhuri

Assistant Director, Cloud Platform, EY GDS
Currently working as an Assistant Director for Cloud Platform in EY GDS .Have overall 10 year experience in IT , with 5+ years in Cloud technologies .Before EY , I was working as a Cloud Solution Architect in Accenture and PwC India .I have worked with multiple enterprises in assisting... Read More →


Wednesday April 27, 2022 2:05pm - 2:35pm EDT
Virtual

2:35pm EDT

Short Break
Take a short break, but be sure you're back in time for the next presentation!

Wednesday April 27, 2022 2:35pm - 2:40pm EDT
Virtual

2:40pm EDT

Wrap-Up
Welcome to DevSecOps Days Pittsburgh 2022!

Speaker
avatar for Hasan Yasar

Hasan Yasar

Technical Director, Continuous Deployment of Capability, Software Engineering Institute, Carnegie Mellon University
Hasan is a senior software engineer, software architect, and manager with 20+ years of experience in all phases of software development and the information modeling process. He has extensive knowledge of current software tools and techniques and extensive hands-on experience in software... Read More →


Wednesday April 27, 2022 2:40pm - 3:00pm EDT
Virtual